* sshfs and autofs
@ 2009-12-18 4:08 Marc Weber
2009-12-18 22:01 ` Marc Weber
0 siblings, 1 reply; 15+ messages in thread
From: Marc Weber @ 2009-12-18 4:08 UTC (permalink / raw)
To: autofs
If you google for sshfs and autofs you'll find many howtos telling you
to create a private key without passwords because this works.
Most of of those Howtos tell you as well that you should not be doing
this for security reasons..
I've found another solution:
It tries connecting to each running ssh-agent. The first being able to
connect to the ssh location will be used. This way you can keep using
passwords and still use autofs.
#!/bin/sh -e
# PATH must contains openssh, sed, sshfs lsof and pgrep
pids=`pgrep ssh-agent`
if [ -z "$pids" ]; then
# no ssh-agent found. Maybe there is a key without password ? You should not be using this!
sshfs -o ssh_command="ssh -o NumberOfPasswordPrompts=0" "$@"
else
for p in $pids; do
export SSH_AGENT_PID=$p
export SSH_AUTH_SOCK=$(lsof -p $p -a -U -Fn | sed -n 's/^n//p')
echo "trying to connect using ssh-agent $p $SSH_AUTH_SOCK" 1>&2
sshfs -o ssh_command="ssh -o NumberOfPasswordPrompts=0" "$@" && exit 0 || true
done
exit 1
fi
Of course it is just a dirty script. However it does a much better job
than using no password.
Do you host such examples somewhere as well?
Marc Weber
^ permalink raw reply [flat|nested] 15+ messages in thread* Re: sshfs and autofs 2009-12-18 4:08 sshfs and autofs Marc Weber @ 2009-12-18 22:01 ` Marc Weber 2009-12-20 15:54 ` Stef Bon 0 siblings, 1 reply; 15+ messages in thread From: Marc Weber @ 2009-12-18 22:01 UTC (permalink / raw) To: Marc Weber; +Cc: autofs The script I posted last let's still other users access your mounts which is bad. This script only queries the ssh-agents run by the uid specified in mount options (uid=..) It also uses sudo -u#uid to run ssfs causing a user mount. So other causes can still cause the mount. But they can't access the filesystem contents: # ls -l /auto/mlin; ls: cannot open directory /auto/mlin: Permission denied # ls -l /auto ls: cannot access /auto/mlin: Permission denied total 0 d????????? ? ? ? ? ? mlin Whatever those question marks mean? Updated script # setuid-wrappers for fusermount export PATH=/var/setuid-wrappers:${pkgs.coreutils}/bin:${pkgs.sshfsFuse}/bin:${pkgs.openssh}/bin:${pkgs.procps}/bin:${pkgs.lsof}/bin:${pkgs.gnused}/bin/:${pkgs.sudo}/bin pids=`pgrep ssh-agent` # get uid=nr from arguments uid=$(echo "$@"| sed -n 's@.*uid=\([0123456789]\+\).*@\1@p') connect(){ sudo=$1; shift $sudo sshfs -o ssh_command="ssh -o NumberOfPasswordPrompts=0" "$@" \ && exit 0 || true } # Change ownership of mountpoint. Ownership will be overridden when mount suceeds. # Otherwise fusermount can't access it (?!) chown $uid "$2" chmod u+w "$2" for p in $pids; do res="$(lsof -p $p -a -U -Fnu)" user_id=$(echo "$res"| sed -n 's/^u//p') if [ "$user_id" == "$uid" ]; then export SSH_AUTH_SOCK=$(echo "$res"| sed -n 's/^n//p') export SSH_AGENT_PID=$p echo "trying to connect using ssh-agent $p $SSH_AUTH_SOCK" 1>&2 # by using sudo -u allow accessing mount by target user - Is there a better way to achieve this?? connect "sudo -E -u#$user_id" "$@" echo -n " .. failed" 1>&2 fi done unset SSH_AGENT_PID; unset SSH_AUTH_SOCK # no ssh-agent found or they all belong to different users.. # Try again. Maybe there is a key without password ? # You should not be using this! connect "" "$@" exit 1 Can I make automount create those key directories with user permissions as well so that other users can't even cause a mount? Is there a better way to restrict acess to a user only compared to using sudo? Marc Weber ^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: sshfs and autofs 2009-12-18 22:01 ` Marc Weber @ 2009-12-20 15:54 ` Stef Bon 2009-12-21 10:32 ` Marc Weber 0 siblings, 1 reply; 15+ messages in thread From: Stef Bon @ 2009-12-20 15:54 UTC (permalink / raw) To: Marc Weber; +Cc: autofs Marc Weber wrote: > The script I posted last let's still other users access your mounts > which is bad. > This script only queries the ssh-agents run by the uid specified in > mount options (uid=..) > It also uses sudo -u#uid to run ssfs causing a user mount. > So other causes can still cause the mount. But they can't access the > filesystem contents: > > # ls -l /auto/mlin; > ls: cannot open directory /auto/mlin: Permission denied > > # ls -l /auto > ls: cannot access /auto/mlin: Permission denied > total 0 > d????????? ? ? ? ? ? mlin > Well the question marks mean that glibc cannot figure out the permissions. This means probably that the mount has not been succesfull. > Whatever those question marks mean? > > > Updated script > > # setuid-wrappers for fusermount > export PATH=/var/setuid-wrappers:${pkgs.coreutils}/bin:${pkgs.sshfsFuse}/bin:${pkgs.openssh}/bin:${pkgs.procps}/bin:${pkgs.lsof}/bin:${pkgs.gnused}/bin/:${pkgs.sudo}/bin > pids=`pgrep ssh-agent` > # get uid=nr from arguments > uid=$(echo "$@"| sed -n 's@.*uid=\([0123456789]\+\).*@\1@p') > connect(){ > sudo=$1; shift > $sudo sshfs -o ssh_command="ssh -o NumberOfPasswordPrompts=0" "$@" \ > && exit 0 || true > } > # Change ownership of mountpoint. Ownership will be overridden when mount suceeds. > # Otherwise fusermount can't access it (?!) > chown $uid "$2" > chmod u+w "$2" > for p in $pids; do > res="$(lsof -p $p -a -U -Fnu)" > user_id=$(echo "$res"| sed -n 's/^u//p') > if [ "$user_id" == "$uid" ]; then > export SSH_AUTH_SOCK=$(echo "$res"| sed -n 's/^n//p') > export SSH_AGENT_PID=$p > echo "trying to connect using ssh-agent $p $SSH_AUTH_SOCK" 1>&2 > # by using sudo -u allow accessing mount by target user - Is there a better way to achieve this?? > connect "sudo -E -u#$user_id" "$@" > echo -n " .. failed" 1>&2 > fi > done > unset SSH_AGENT_PID; unset SSH_AUTH_SOCK > > # no ssh-agent found or they all belong to different users.. > # Try again. Maybe there is a key without password ? > # You should not be using this! > connect "" "$@" > exit 1 > > Does this work. I do not know anything about ssh agents. I n my construction I'm using the following command: sshfs "$unc_address" "$mountpoint" -o allow_other -o PasswordAuthentication='no' -o IdentityFile="$homedir/.ssh/id_dsa" -o UserKnownHostsFile="$homedir/.ssh/known_hosts" -o Compression='yes' where unc_address is of the form %USER%@192.168.0.1: where user is like sbon (me) or root. $homedir is the homedirectory of this user, and there has been a check the files like $homedir/.ssh/id_dsa are present. This works. There is no construction to prevent other users to activate the mount. I've created earlier a constrcution to mount ssh, and this was working with a mount.sshfs wrapper, which on his turn called sshfs through above commands. This was working. Now I'm working on a new construction which creates an seperate mountpoint for every user: /mnt/mount.md5key/%USER%/mount wher USER is again the user like sbon. the directory /mnt/mount.md5key/%USER% is owned by the user and has permissions 700, so no other user except root can access (and also activate) any mount. Hope this helps. Stef Bon > Can I make automount create those key directories with user permissions > as well so that other users can't even cause a mount? > > Is there a better way to restrict acess to a user only compared to using > sudo? > > Marc Weber > > _______________________________________________ > autofs mailing list > autofs@linux.kernel.org > http://linux.kernel.org/mailman/listinfo/autofs > > ^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: sshfs and autofs 2009-12-20 15:54 ` Stef Bon @ 2009-12-21 10:32 ` Marc Weber 2009-12-22 19:08 ` Stef Bon 0 siblings, 1 reply; 15+ messages in thread From: Marc Weber @ 2009-12-21 10:32 UTC (permalink / raw) To: Stef Bon; +Cc: autofs > > # ls -l /auto > > ls: cannot access /auto/mlin: Permission denied > > total 0 > > d????????? ? ? ? ? ? mlin > > > Well the question marks mean that glibc cannot figure out the > permissions. This means probably > that the mount has not been succesfull. It was. The user can access it. But root can't. > Does this work. I do not know anything about ssh agents. Than you should start to learn at least some basics. An ssh-agent is a process which keeps your "passwords" in memory to unlock the .ssh/id_* keys. Of course it works. I'm using it. > I n my construction I'm using the following command: > PasswordAuthentication='no' -o IdentityFile="$homedir/.ssh/id_dsa" -o This id_dsa, is it protected by password? If you use google to find out how to use automount and sshfs you'll find many instructions about how to generate a key with empty password and how to configure automount. However using an empty password is not an option for me. > the directory /mnt/mount.md5key/%USER% > is owned by the user and has permissions 700, so no other user except How do you assign these permissions 700 ? I didn't suceed Marc Weber ^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: sshfs and autofs 2009-12-21 10:32 ` Marc Weber @ 2009-12-22 19:08 ` Stef Bon 2009-12-22 21:45 ` Marc Weber 0 siblings, 1 reply; 15+ messages in thread From: Stef Bon @ 2009-12-22 19:08 UTC (permalink / raw) To: Marc Weber; +Cc: autofs Marc Weber wrote: >>> # ls -l /auto >>> ls: cannot access /auto/mlin: Permission denied >>> total 0 >>> d????????? ? ? ? ? ? mlin >>> >>> >> Well the question marks mean that glibc cannot figure out the >> permissions. This means probably >> that the mount has not been succesfull. >> > It was. The user can access it. But root can't. > > >> Does this work. I do not know anything about ssh agents. >> > Than you should start to learn at least some basics. > An ssh-agent is a process which keeps your "passwords" in memory to > unlock the .ssh/id_* keys. > Of course it works. I'm using it. > Wow, I'm just making clear that I do not know anything these agents. I'm just asking you about it, but not doubting your abilities. > > >> I n my construction I'm using the following command: >> PasswordAuthentication='no' -o IdentityFile="$homedir/.ssh/id_dsa" -o >> > This id_dsa, is it protected by password? > If you use google to find out how to use automount and sshfs you'll find > many instructions about how to generate a key with empty password and > how to configure automount. However using an empty password is not an > option for me. > Here again I'm trying to help here. I'm just trying to figure out (see above) how your setup works, and I try to be of some help here. But it looks if you already know everything, and it looks as you don't want to be helped. Be a little bit more specific and understand that somebody else does not understand your setup immediatly, Stef Bon > >> the directory /mnt/mount.md5key/%USER% >> is owned by the user and has permissions 700, so no other user except >> > How do you assign these permissions 700 ? > I didn't suceed > > Marc Weber > > ^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: sshfs and autofs 2009-12-22 19:08 ` Stef Bon @ 2009-12-22 21:45 ` Marc Weber 2009-12-23 21:47 ` Stef Bon 0 siblings, 1 reply; 15+ messages in thread From: Marc Weber @ 2009-12-22 21:45 UTC (permalink / raw) To: Stef Bon; +Cc: autofs Excerpts from Stef Bon's message of Tue Dec 22 20:08:24 +0100 2009: > Marc Weber wrote: > >>> # ls -l /auto > >>> ls: cannot access /auto/mlin: Permission denied > >>> total 0 > >>> d????????? ? ? ? ? ? mlin > >>> > >>> > >> Well the question marks mean that glibc cannot figure out the > >> permissions. This means probably > >> that the mount has not been succesfull. > >> > > It was. The user can access it. But root can't. > > > > > >> Does this work. I do not know anything about ssh agents. > >> > > Than you should start to learn at least some basics. Sorry. I should have been more specific. I tried saying: If you have to login to multiple locations very often you should learn about ssh-agents because you'll benefit doing so. That's one point. The second point is if you still don't know about them and you're not going to read up what they are and why they are exist there is indeed no point you helping me because the reason I wrote that script was using ssh-agents. Anyway I think we can meet. You didn't reply to my question whether you're using empty passwords. So it looks to me that you're not aware about what I'm talking when saying "empty password". This looks strange to me because using automount directories per users seems to be advanced to me. Let me show you a complete example how to generate a key and use an ssh-agent: # important: enter a passphrase ssh-keygen -t rsa -f $HOME/id_rsa_tmp Enter passphrase (empty for no passphrase): PASSWORD Your identification has been saved in $HOME/id_rsa_tmp. Your public key has been saved in $HOME/id_rsa_tmp.pub. # now you can copy your key to remote machine, you have to enter your # remote password once: ssh-copy-id -i $HOME/id_rsa_tmp.pub user@remote Now you can login using ssh -i $HOME/id_rsa_tmp user@remote If you didn't use an empty password ssh will ask you for the id_rsa_tmp password each time uses the key. If you login and out frequently this is tedious. That's why you can do tmp=$(ssh-agent) echo "$tmp" eval "$tmp" ssh-add $HOME/id_rsa_tmp # thell the agent enter passphrase # no more passwords required: ssh user@remote 'echo done' ssh user@remote 'echo done' # kill agent so that when you leave the pc nobody # else can use your key. You can also specify timeouts and such. # (-> man ssh-agent) pkill -9 ssh-agent Of course if you're using an empty passphrase you don't need the ssh-agent at all. However if someone get's access to your private key he can login. If you use a passphrase he can't because he still has to know your passphrase. Now you've been using this line without ssh-agent: > >> PasswordAuthentication='no' -o IdentityFile="$homedir/.ssh/id_dsa" -o What would happen if you replaced .ssh/id_dsa with $HOME/id_rsa_tmp assuming you entered a passphrase? automount is running mount running sshfs running ssh which will find your password protected key. It doesn't know about any agents so it will try to ask you for the password by printing a "password:" prompt. But automount has no shell thus no prompt thus the mount will fail. For this reason you find many howtos when googling telling you how to setup keys with empty passwords because this just works. I have two goals: a) figuring out whether there are even nicer solutions b) telling people that they can use password protected private keys and automount using my script. > Here again I'm trying to help here. Thanks for doing so. I hope that this mail showing you how to use ssh-agents does help you a little bit understanding my configuration. Marc Weber ^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: sshfs and autofs 2009-12-22 21:45 ` Marc Weber @ 2009-12-23 21:47 ` Stef Bon 2009-12-23 21:59 ` Stef Bon 2009-12-23 22:05 ` Marc Weber 0 siblings, 2 replies; 15+ messages in thread From: Stef Bon @ 2009-12-23 21:47 UTC (permalink / raw) To: Marc Weber; +Cc: autofs Marc Weber wrote: > Excerpts from Stef Bon's message of Tue Dec 22 20:08:24 +0100 2009: > >> Marc Weber wrote: >> >>>>> # ls -l /auto >>>>> ls: cannot access /auto/mlin: Permission denied >>>>> total 0 >>>>> d????????? ? ? ? ? ? mlin >>>>> >>>>> >>>>> >>>> Well the question marks mean that glibc cannot figure out the >>>> permissions. This means probably >>>> that the mount has not been succesfull. >>>> >>>> >>> It was. The user can access it. But root can't. >>> >>> >>> >>>> Does this work. I do not know anything about ssh agents. >>>> >>>> >>> Than you should start to learn at least some basics. >>> > Sorry. I should have been more specific. > I tried saying: If you have to login to multiple locations very often > you should learn about ssh-agents because you'll benefit doing so. > > That's one point. The second point is if you still don't know about them > and you're not going to read up what they are and why they are exist > there is indeed no point you helping me because the reason I wrote that > script was using ssh-agents. > > Anyway I think we can meet. You didn't reply to my question whether > you're using empty passwords. So it looks to me that you're not aware > about what I'm talking when saying "empty password". This looks strange > to me because using automount directories per users seems to be > advanced to me. > > Let me show you a complete example how to generate a key and use an > ssh-agent: > > # important: enter a passphrase > > ssh-keygen -t rsa -f $HOME/id_rsa_tmp > Enter passphrase (empty for no passphrase): PASSWORD > Your identification has been saved in $HOME/id_rsa_tmp. > Your public key has been saved in $HOME/id_rsa_tmp.pub. > > # now you can copy your key to remote machine, you have to enter your > # remote password once: > ssh-copy-id -i $HOME/id_rsa_tmp.pub user@remote > > Now you can login using > ssh -i $HOME/id_rsa_tmp user@remote > > If you didn't use an empty password ssh will ask you for the id_rsa_tmp > password each time uses the key. > If you login and out frequently this is tedious. That's why you can do > > tmp=$(ssh-agent) > echo "$tmp" > eval "$tmp" > ssh-add $HOME/id_rsa_tmp # thell the agent enter passphrase > # no more passwords required: > ssh user@remote 'echo done' > ssh user@remote 'echo done' > # kill agent so that when you leave the pc nobody > # else can use your key. You can also specify timeouts and such. > # (-> man ssh-agent) > pkill -9 ssh-agent > > Of course if you're using an empty passphrase you don't need the > ssh-agent at all. > However if someone get's access to your private key he can login. > If you use a passphrase he can't because he still has to know your > passphrase. > > Now you've been using this line without ssh-agent: > >>>> PasswordAuthentication='no' -o IdentityFile="$homedir/.ssh/id_dsa" -o >>>> > > What would happen if you replaced .ssh/id_dsa with $HOME/id_rsa_tmp > assuming you entered a passphrase? > automount is running mount running sshfs running ssh > which will find your password protected key. It doesn't know about any > agents so it will try to ask you for the password by printing a > "password:" prompt. But automount has no shell thus no prompt thus the > mount will fail. > Ok thanks for the explenation. This makes much more clear what the problem is. Let me explain my construction. When a session begins, an autofs managed mountpoint is added to a seperate auto.master file, located in /var/run/autofs. If a seperate automounter is not already running, it is started, with this auto.master file as paramter. After login of root for example(on the login or via ssh - this is not really important how) this file looks like: /mnt/mount.md5key/root/mount /etc/autofs/auto.md5key AUTOFS_USER=root (this whole adding thing when a session starts is done with help of ConsoleKit... in future I'll try Upstart) Of course the directory /mnt/mount.md5key/root/mount is created first, and the directory /mnt/mount.md5key/root has permissions 700 and is owned by the user for which this mountpoint is, in this case root. But in any case no other user (except root, but in this case this is the same user) can enter the mountpoint and/or activate it. The file /etc/autofs/auto.md5key is the most simple map file: * -fstype=md5key :/& And this is a great feature of the automounter, the filesystem md5key does not have to be a "real" filesystem. It just passes the filesystem type (md5key) to the mount command, which on his turn looks for the mount.md5key command, which I've created, and is actually a wrapper to run the right mount command (mount.cifs, curlftpfs, sshs, .....or even mounting of USB). Basicin this constrcution are "connection" records, where the information is stored about the remote or local address. For samba shares, such a record is like: cd /var/cache/mount.md5key/1bf8a01af6d3eb08ffa08b9b6578f514 /var/cache/mount.md5key/1bf8a01af6d3eb08ffa08b9b6578f514 ]# cat config NET_service=smb LOCAL_user=root SMB_workgroup=BONONLINE SMB_name=LFS20060812 SMB_share=public SMB_ip=192.168.0.2 SMB_auth_method=guest The md5key is the md5sum of this config file. A config file for a SSH address may look like (I'm not using it at this moment so I may forget something): NET_service=ssh LOCAL_user=root SSH_server=192.168.0.2 SSH_auth_method=agent Now the md5sum of this file is 2b2468c31ab6a00a3f47d5df01d7a116, create this directory: install -d /var/cache/mount.md5key/2b2468c31ab6a00a3f47d5df01d7a116 and move this record in it: mv <from somehere>/config /var/cache/mount.md5key/2b2468c31ab6a00a3f47d5df01d7a116 Now to access this resource, direct access is not very userfriendly, the md5keys only make sense to the computer, not the user. I've created a script which scans the cache (in /var/cache/mount.md5key/) for available resources for a user, and creates a tree in the homedirectory, which makes sense to the user, with symboliclinks to the right md5key entries: For me still as root this looks like: ~/Network/Windows Network/BONONLINE/LFS20060812/public -> /mnt/mount.md5key/root/mount/1bf8a01af6d3eb08ffa08b9b6578f514 and ~/Network/SSH access/192.168.0.2 -> /mnt/mount.md5key/root/mount/2b2468c31ab6a00a3f47d5df01d7a116 When entering these directories, (read following the link) the mount.md5key command looks for the key in /var/cache/mount.md5key/ directory, finds it, looks for the config file and launches the right mount command with the right parameters. You see the whole intelligent thing is done by the mount.md5key command, getting al the right information out off the config file. Now there are more I can tell you about this. The information about remote and local resources is not static. With Samba shares there are some utilities which cann help you to find out the resources a user logged in has access to, like nbtscan, nmblookup and smbclient. For other resources there might be other utilities. Futher I do not like these symbolic links. When following them, you as user might end up with your favorite app in /mnt/mount.md5key/%USER%/mount directory, looking to strange looking directories on a strange place in the filesystem. Thats the reason I'm working on an fuse modules (fuse-workspace I've called it) which mirrors this connections tree, where it's possible to make some symbolic links look like directories. It's too complicated, but look at http://linux.bononline.nl/linux/fuse-workspace/index.php and http://linux.bononline.nl/linux/mount.md5key/index.php http://linux.bononline.nl/linux/runsessionscripts/index.php Now to get back to your problem, as I understand it, I've read some manpages, and yes I'm using private/public keys without passphrase. I did not know about agents until now. I understand that this communication through this agent makes it easier to make a ssh connection. If I'm wrong please correct. Next add the .ssh/id_dsa and .ssh/id_rsa and .ssh/identity files with ssh-add. If this is done, other applications do not have to enter the passphrase anymore, if they make use of this agent, which they can find though the environment variables. But the ssh-add command asks for the passphrase, and if done in an environment with the automounter you have a problem here, I understand. In my setup the mount.md5key command has to find out who is activating the mount, and what the evironment is (simple terminal or X) and present a "passphrase" dialog. Apart problem: how to store the information about the agent for other apps. This is the whole problem, because this is not easy. The automounter (read man 5 autofs) can offer variables like USER, UID, etc,HOST of the user requesting the mount (according to the manpage). Then to present this user a suitable dialog... maybe via dbus??? I do not have a sollution for you here, sorry, I can ony analyze it's difficult. I think that your script tries to offer a dialog somehere, but that it does not reach you as user... Earlier I've thought about this when entering a Windows/Samba share, but I left it for exact these reasons. Somebody else?? Stef Bon > For this reason you find many howtos when googling telling you how to > setup keys with empty passwords because this just works. > > I have two goals: > a) figuring out whether there are even nicer solutions > b) telling people that they can use password protected private keys and > automount using my script. > > >> Here again I'm trying to help here. >> > Thanks for doing so. > > I hope that this mail showing you how to use ssh-agents does help you a > little bit understanding my configuration. > > Marc Weber > > ^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: sshfs and autofs 2009-12-23 21:47 ` Stef Bon @ 2009-12-23 21:59 ` Stef Bon 2009-12-23 22:16 ` Marc Weber 2009-12-23 22:05 ` Marc Weber 1 sibling, 1 reply; 15+ messages in thread From: Stef Bon @ 2009-12-23 21:59 UTC (permalink / raw) To: Marc Weber; +Cc: autofs Stef Bon wrote: > > > This is the whole problem, because this is not easy. The automounter > (read man 5 autofs) can offer variables like USER, UID, etc,HOST > of the user requesting the mount (according to the manpage). Then to > present this user a suitable dialog... maybe via dbus??? I'm silly here, the user is not the problem, this is already available, in the options, or - in my construction - in the config file, in the parameter AUTOFS_USER and in the mountpath, but the environment this user is using! A pid of the process would be very usefull, for example. But this is not easy. When I'm logged in twice with the same account, which session should get the question for the passphrase? Stef ^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: sshfs and autofs 2009-12-23 21:59 ` Stef Bon @ 2009-12-23 22:16 ` Marc Weber 2009-12-23 22:31 ` Stef Bon 0 siblings, 1 reply; 15+ messages in thread From: Marc Weber @ 2009-12-23 22:16 UTC (permalink / raw) To: Stef Bon; +Cc: autofs Excerpts from Stef Bon's message of Wed Dec 23 22:59:48 +0100 2009: > Stef Bon wrote: > > > > > > This is the whole problem, because this is not easy. The automounter > > (read man 5 autofs) can offer variables like USER, UID, etc,HOST > > of the user requesting the mount (according to the manpage). Then to > > present this user a suitable dialog... maybe via dbus??? > > I'm silly here, the user is not the problem, this is already available, > in the options, or - in my construction - in the config file, in the > parameter AUTOFS_USER > and in the mountpath, but the environment this user is using! A pid of > the process would be very usefull, for example. > But this is not easy. When I'm logged in twice with the same account, > which session should get the question for the passphrase? About which session are you talking now? A ssh-agent session determined by SSH_AGENT_PID and SSH_AUTH_SOCKET ? Add this to your .bashrc or .zshrc: reuseSSHAgent () { local f=~/.current-ssh-agent . $f || true ps -p "$SSH_AGENT_PID" &> /dev/null || { ssh-agent | grep -v echo > $f . $f ssh-add } } reuseSSHAgent If there is a ssh agent running it will be used if not it will be started. Then ssh-add will be run (I use only one key so this is comfortable to me ..) Maybe I should check that the socket file exists then I would'nt have to run ps. Gentoo has a nice script called "keychain" which provides this and more for ssh-agent and the gnu-gpg agent. However I felt it was too bloated and replaced it by this function. You really don't want to type your password twice, do you ? :) Marc Weber ^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: sshfs and autofs 2009-12-23 22:16 ` Marc Weber @ 2009-12-23 22:31 ` Stef Bon 2009-12-23 22:53 ` Marc Weber 0 siblings, 1 reply; 15+ messages in thread From: Stef Bon @ 2009-12-23 22:31 UTC (permalink / raw) To: Marc Weber; +Cc: autofs Marc Weber wrote: > Excerpts from Stef Bon's message of Wed Dec 23 22:59:48 +0100 2009: > >> Stef Bon wrote: >> >>> This is the whole problem, because this is not easy. The automounter >>> (read man 5 autofs) can offer variables like USER, UID, etc,HOST >>> of the user requesting the mount (according to the manpage). Then to >>> present this user a suitable dialog... maybe via dbus??? >>> >> I'm silly here, the user is not the problem, this is already available, >> in the options, or - in my construction - in the config file, in the >> parameter AUTOFS_USER >> and in the mountpath, but the environment this user is using! A pid of >> the process would be very usefull, for example. >> But this is not easy. When I'm logged in twice with the same account, >> which session should get the question for the passphrase? >> > > About which session are you talking now? A ssh-agent session determined > by SSH_AGENT_PID and SSH_AUTH_SOCKET ? > > Add this to your .bashrc or .zshrc: > > reuseSSHAgent () { > local f=~/.current-ssh-agent > . $f || true > ps -p "$SSH_AGENT_PID" &> /dev/null || { > ssh-agent | grep -v echo > $f > . $f > ssh-add > } > } > reuseSSHAgent > > If there is a ssh agent running it will be used if not it will be > started. Then ssh-add will be run (I use only one key so this is > comfortable to me ..) > > Maybe I should check that the socket file exists then I would'nt have to > run ps. > > Gentoo has a nice script called "keychain" which provides this and more > for ssh-agent and the gnu-gpg agent. However I felt it was too bloated > and replaced it by this function. > > You really don't want to type your password twice, do you ? :) > No, but sometimes inevitable. I'm talking about the usersession. When logged in twice, and I'm activating the mount at the second session (or login) how does the automounter and the mount script know which usersession to present a dialog. This is no issue when you first enter the passphrase manually in the first session, make use of it and reuse it on the second. Stef ^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: sshfs and autofs 2009-12-23 22:31 ` Stef Bon @ 2009-12-23 22:53 ` Marc Weber 2009-12-24 14:12 ` Stef Bon 0 siblings, 1 reply; 15+ messages in thread From: Marc Weber @ 2009-12-23 22:53 UTC (permalink / raw) To: Stef Bon; +Cc: autofs Excerpts from Stef Bon's message of Wed Dec 23 23:31:15 +0100 2009: > Marc Weber wrote: > > Excerpts from Stef Bon's message of Wed Dec 23 22:59:48 +0100 2009: > > > >> Stef Bon wrote: > >> > >>> This is the whole problem, because this is not easy. The automounter > >>> (read man 5 autofs) can offer variables like USER, UID, etc,HOST > >>> of the user requesting the mount (according to the manpage). Then to > >>> present this user a suitable dialog... maybe via dbus??? > >>> > >> I'm silly here, the user is not the problem, this is already available, > >> in the options, or - in my construction - in the config file, in the > >> parameter AUTOFS_USER > >> and in the mountpath, but the environment this user is using! A pid of > >> the process would be very usefull, for example. > >> But this is not easy. When I'm logged in twice with the same account, > >> which session should get the question for the passphrase? > >> > > > > About which session are you talking now? A ssh-agent session determined > > by SSH_AGENT_PID and SSH_AUTH_SOCKET ? > > > > Add this to your .bashrc or .zshrc: > > > > reuseSSHAgent () { > > local f=~/.current-ssh-agent > > . $f || true > > ps -p "$SSH_AGENT_PID" &> /dev/null || { > > ssh-agent | grep -v echo > $f > > . $f > > ssh-add > > } > > } > > reuseSSHAgent > > > > If there is a ssh agent running it will be used if not it will be > > started. Then ssh-add will be run (I use only one key so this is > > comfortable to me ..) > > > > Maybe I should check that the socket file exists then I would'nt have to > > run ps. > > > > Gentoo has a nice script called "keychain" which provides this and more > > for ssh-agent and the gnu-gpg agent. However I felt it was too bloated > > and replaced it by this function. > > > > You really don't want to type your password twice, do you ? :) > > > No, but sometimes inevitable. > > I'm talking about the usersession. When logged in twice, and I'm > activating the mount at the second session (or login) > how does the automounter and the mount script know which usersession to > present a dialog. > > This is no issue when you first enter the passphrase manually in the > first session, make use of it and reuse it on the second. > > Stef How does wall work ? Maybe it should be asked on all terminals. This would work. But that's the reason why I didn't even try to find a solution. If automount knew about the process id there might be a chance figuring out about the tty being used.. But it's not a problem for me so I won't fix it unless you have an idea which can be implemented fast. Marc Weber ^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: sshfs and autofs 2009-12-23 22:53 ` Marc Weber @ 2009-12-24 14:12 ` Stef Bon 2009-12-24 23:52 ` Marc Weber 0 siblings, 1 reply; 15+ messages in thread From: Stef Bon @ 2009-12-24 14:12 UTC (permalink / raw) To: Marc Weber; +Cc: autofs Marc Weber wrote: > Excerpts from Stef Bon's message of Wed Dec 23 23:31:15 +0100 2009: > >> Marc Weber wrote: >> >>> Excerpts from Stef Bon's message of Wed Dec 23 22:59:48 +0100 2009: >>> >>> >>>> Stef Bon wrote: >>>> >>>> >>>>> This is the whole problem, because this is not easy. The automounter >>>>> (read man 5 autofs) can offer variables like USER, UID, etc,HOST >>>>> of the user requesting the mount (according to the manpage). Then to >>>>> present this user a suitable dialog... maybe via dbus??? >>>>> >>>>> >>>> I'm silly here, the user is not the problem, this is already available, >>>> in the options, or - in my construction - in the config file, in the >>>> parameter AUTOFS_USER >>>> and in the mountpath, but the environment this user is using! A pid of >>>> the process would be very usefull, for example. >>>> But this is not easy. When I'm logged in twice with the same account, >>>> which session should get the question for the passphrase? >>>> >>>> >>> About which session are you talking now? A ssh-agent session determined >>> by SSH_AGENT_PID and SSH_AUTH_SOCKET ? >>> >>> Add this to your .bashrc or .zshrc: >>> >>> reuseSSHAgent () { >>> local f=~/.current-ssh-agent >>> . $f || true >>> ps -p "$SSH_AGENT_PID" &> /dev/null || { >>> ssh-agent | grep -v echo > $f >>> . $f >>> ssh-add >>> } >>> } >>> reuseSSHAgent >>> >>> If there is a ssh agent running it will be used if not it will be >>> started. Then ssh-add will be run (I use only one key so this is >>> comfortable to me ..) >>> >>> Maybe I should check that the socket file exists then I would'nt have to >>> run ps. >>> >>> Gentoo has a nice script called "keychain" which provides this and more >>> for ssh-agent and the gnu-gpg agent. However I felt it was too bloated >>> and replaced it by this function. >>> >>> You really don't want to type your password twice, do you ? :) >>> >>> >> No, but sometimes inevitable. >> >> I'm talking about the usersession. When logged in twice, and I'm >> activating the mount at the second session (or login) >> how does the automounter and the mount script know which usersession to >> present a dialog. >> >> This is no issue when you first enter the passphrase manually in the >> first session, make use of it and reuse it on the second. >> >> Stef >> > > How does wall work ? > Maybe it should be asked on all terminals. > This would work. > But that's the reason why I didn't even try to find a solution. > > If automount knew about the process id there might be a chance figuring > out about the tty being used.. > > But it's not a problem for me so I won't fix it unless you have an idea > which can be implemented fast. > > Marc Weber > > Well maybe PAM can help you here. If you login with a password through pam, there are pammodules which can do something with the authentication. Long time ago I've setup a pam constrcution which stores the username and the password in a file. The module I used was pam_script.so, which is developed not by the PAM team, but since some time there is pam_exec.so, which does the same. My login file in /etc/pam.d looks like: #%PAM-1.0 auth required pam_shells.so #auth required pam_env.so readenv=0 auth required pam_script.so onauth=/etc/security/onauth.ldap expose=authtok (A) auth sufficient pam_ldap.so use_first_pass auth required pam_script.so expose=authtok (B) auth required pam_unix.so audit md5 shadow try_first_pass account required pam_nologin.so account sufficient pam_unix.so account optional pam_ldap.so password sufficient pam_unix.so try_first_pass use_authtok md5 shadow password required pam_ldap.so session required pam_script.so runas=root (C) session optional pam_limits.so session required pam_ck_connector.so session optional pam_mail.so dir=/var/mail standard session required pam_unix.so shadow md5 session required pam_ldap.so Let me explain what happens here: at (A) the modules pam_script asks for a password, and exposes to the script onauth.ldap. This script is in the /etc/security directory. Of this option is not supplied the default script onauth is run. The onauth.ldap script is a symlink to onauth. It stores the password, in the environment var PAM_AUTHTOK in a file on a temporary drive, created at boottime, on my system at /var/run/safe: tmpfs on /var/run/safe type tmpfs (rw,size=500k) It's of course protected that only root can access these passwords, and the user self. Earlier I've also used encryption here, but a temporary drive which does not exist when the system is down is sufficient. Now the onauth.ldap script stores the password the /var/run/safe/sbon/ldap dir, in the password.tmp file, and it creates a symlink to it like: /var/run/safe/sbon/latest -> /var/run/safe/sbon/ldap assuming sbon (me) is trying to login. I wanted to make it obvious which authentification service has been successfull. Next is the pam_ldap.so module. Now if succesfull, all futher modules in the auth fase are skipped, and it jumps to the session fase, to open a session. If not successfull, it will go to (B), which runs the onauth script. This will create the /var/run/safe/sbon/local directory, also containing a password.tmp file with the provided password, and removes the /var/run/safe/sbon/latest dir, with all the contents, and recreates the symlink: /var/run/safe/sbon/latest -> /var/run/safe/sbon/local If this is still not successfull, nothing happens futher here, login is denied. (maybe there should also be a pam_script here: cleaning up) If successfull it jumps to the session fase. There is also a pam_script in the session fase, running the /etc/security/onsessionopen script. This looks for a password.tmp file in the /var/run/safe/sbon/latest and moves it to the password file. It's obvious that the password stored in this file is the right one. Next it runs scripts it find in the /etc/session.d/pam/onsessionopen/*.sh directory. One thing done on my system is done by a create_smb_credentialfile.sh, which creates a mount.smb.cred file, also in /var/run/safe/sbon/latest dir, which is used by other programs later like the mounting of SMB shares through cifs. I'm having a central account database stored in ldap, which is used for my logins (through pam_ldap.so) and for the Samba servers. This way I can login my samba servers with the same credentials I've provided at login. Now to get back to your ssh problem, it is not so hard to make in stead of creating a credentialsfile, running ssh-agent, and ssh-add. The only issue here is that you have to use the same passphrase for your ssh id keys as your password you login with (or a converted unique value of that, like the md5key). Next is to make ssh-add make use of the passphrase in the password file, or an environment var, or from stdin like cat password | ssh-add or something... (or something like cat password | md5sum | awk '{ print $1 }' | ssh-add ....) This works but is hell to maintain when your password is changed, and you are working on more than one machine. The keys are not mainainted centrally on a server (like kerberos) but on every host you work. Hope this is what you're looking for. Stef ^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: sshfs and autofs 2009-12-24 14:12 ` Stef Bon @ 2009-12-24 23:52 ` Marc Weber 0 siblings, 0 replies; 15+ messages in thread From: Marc Weber @ 2009-12-24 23:52 UTC (permalink / raw) To: Stef Bon; +Cc: autofs Hi Stef, You don't have to put any further effort into this. The solution I found is working for me. The keypoint about ssh passwords is that you don't store them on disk. So if anyone get's access to your filesystem (or disk) he still can't use the key. What you describe is used to keep samba passwords up to date AFAIK. I'd rather spend time on updating the HOWTO or creating a wiki. But I don't know how to contact the maintainer. I wrote that in another mail recently.. Marc Weber ^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: sshfs and autofs 2009-12-23 21:47 ` Stef Bon 2009-12-23 21:59 ` Stef Bon @ 2009-12-23 22:05 ` Marc Weber 2009-12-23 22:19 ` Stef Bon 1 sibling, 1 reply; 15+ messages in thread From: Marc Weber @ 2009-12-23 22:05 UTC (permalink / raw) To: Stef Bon; +Cc: autofs > I think that your script tries to offer a dialog somehere, but that it > does not reach you as user... No, it doesn't because it would have been too much work thinking about how to present that. DISPLAY=:0.0 some_dialog does work for X and (my) current use case. But it doesn't work for all use cases. So my script the user knows about this issue and will run ssh-add manually before mounting anything. Marc Weber ^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: sshfs and autofs 2009-12-23 22:05 ` Marc Weber @ 2009-12-23 22:19 ` Stef Bon 0 siblings, 0 replies; 15+ messages in thread From: Stef Bon @ 2009-12-23 22:19 UTC (permalink / raw) To: Marc Weber; +Cc: autofs Marc Weber wrote: >> I think that your script tries to offer a dialog somehere, but that it >> does not reach you as user... >> > > No, it doesn't because it would have been too much work thinking about > how to present that. > DISPLAY=:0.0 some_dialog > > does work for X and (my) current use case. But it doesn't work for all > use cases. > > So my script the user knows about this issue and will run > > ssh-add manually before mounting anything. > > Marc Weber > > Well exactly!. I get it, this is a way to make this work. Do you think this is ok, or don't you want this manually thing?? Stef ^ permalink raw reply [flat|nested] 15+ messages in thread
end of thread, other threads:[~2009-12-24 23:52 UTC | newest] Thread overview: 15+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2009-12-18 4:08 sshfs and autofs Marc Weber 2009-12-18 22:01 ` Marc Weber 2009-12-20 15:54 ` Stef Bon 2009-12-21 10:32 ` Marc Weber 2009-12-22 19:08 ` Stef Bon 2009-12-22 21:45 ` Marc Weber 2009-12-23 21:47 ` Stef Bon 2009-12-23 21:59 ` Stef Bon 2009-12-23 22:16 ` Marc Weber 2009-12-23 22:31 ` Stef Bon 2009-12-23 22:53 ` Marc Weber 2009-12-24 14:12 ` Stef Bon 2009-12-24 23:52 ` Marc Weber 2009-12-23 22:05 ` Marc Weber 2009-12-23 22:19 ` Stef Bon
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.